Feeds

€25k for an old Nokia handset?

Scammers pay through the nose for old tech

Choosing a cloud hosting partner with confidence

Scammers are reportedly prepared to pay €25,000 for German Nokia 1100 handsets, on the basis that they can be reprogrammed to intercept SMS messages and thus crack banking security.

The claim comes from Ultrascan, a security association that generally follows up 419 scams and ID theft. Ultrascan tells us it was approached by Dutch police concerned that the price of a second-hand Nokia 1100 was unexpectedly rising. The company subsequently discovered that buyers were interested in a security flaw that makes the German version of the handset worth so much, though the technical background remains obscure.

The supposed exploit is based around codes - mTAN - that are sent to customers over SMS and are unique to each mobile-banking transaction. The premise is that criminals have "thousands" of login details and just lack these single-use codes, so are trying to get hold of Nokia 1100 handsets to intercept them.

The problem with this hypothesis is that the GSM security model is managed by the SIM, which colludes with the network's authentication server to create an encryption key which is made available to the handset. Communications can only be intercepted by getting hold of that key, or breaking the encryption itself, neither of which is easier to do while in possession of a Nokia 1100, German or otherwise.

We put these technical issues to Ultrascan who told us that it "did not investigate [the technical] part", but is hoping to get hold of a 1100 for testing in the next few days to see what is possible.

In the early days of GSM some operators introduced a critical flaw (zeros) into early versions of GSM cryptography, to enable the use of cheaper SIMs, but almost all operators have since upgraded to proper security and 3G networks have open algorithms that are well known to be pretty secure. Some countries, such as Pakistan, aren't permitted to use cryptography so still suffer from SIM-cloning and the like, but such places don't generally offer mobile banking for obvious reasons.

Ultrascan says it'll be in touch when it has more technical details, but for the moment it's beyond us how one phone can intercept calls made to a different SIM, and it seems more likely that one scammer is simply ripping off another with promises of magic handsets. ®

Remote control for virtualized desktops

More from The Register

next story
YOU are the threat: True confessions of real-life sysadmins
Who will save the systems from the men and women who save the systems from you?
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Ofcom snatches 700MHz off digital telly, hands it to mobile data providers
Hungry mobe'n'slab-waving Blighty swallows spectrum
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.